Timeout value is ignored in the User-ID Agent when users are added via XML-API

Created On 09/25/18 19:47 PM - Last Modified 12/07/20 23:54 PM


Symptom
The timeout value is ignored in the User-ID Agent when users are added via XML-API.

User-ID updates sent to the User-ID Agent via XML with a timeout value are not removed from the User-ID Agent when the timeout expires, although they are removed on the Palo Alto Networks firewall.
 


Environment
  • Windows-based User-ID agent.
  • Any version


Cause
The User-ID Agent does not proactively time out entries. However, it keeps track of each entry's time-stamp and the timeout value. When the User-ID Agent receives a get-all or query-IP, each entry will be examined and deleted if it has timed out.
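
The lazy expiry described above, as a simplified Python model added here for illustration (it is not Palo Alto Networks code). The class and method names, the timeout expressed in seconds, and the sample addresses and users are assumptions made for the example.

```python
import time


class LazyExpiryAgent:
    """Toy model of an IP-to-user store that expires entries lazily (hypothetical names)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}  # ip -> (user, added_at, timeout_seconds)

    def login(self, ip, user, timeout):
        # Only the time-stamp and timeout are recorded; no timer is scheduled.
        self._entries[ip] = (user, self._clock(), timeout)

    def displayed_entries(self):
        # Passive view of the table: no expiry check is performed here.
        return {ip: user for ip, (user, _, _) in self._entries.items()}

    def _sweep(self):
        # Examine every entry and delete those whose timeout has passed.
        now = self._clock()
        expired = [ip for ip, (_, added, timeout) in self._entries.items()
                   if now - added >= timeout]
        for ip in expired:
            del self._entries[ip]

    def get_all(self):
        # A get-all request triggers the sweep before answering.
        self._sweep()
        return self.displayed_entries()

    def query_ip(self, ip):
        # A query for one IP also triggers the sweep of all entries.
        self._sweep()
        entry = self._entries.get(ip)
        return entry[0] if entry else None


def demo():
    t = [0.0]  # constructed clock so the demo is deterministic
    agent = LazyExpiryAgent(clock=lambda: t[0])
    agent.login("192.0.2.5", "corp\\alice", timeout=60)   # constructed sample
    agent.login("192.0.2.6", "corp\\bob", timeout=600)    # constructed sample
    t[0] += 120                             # alice's timeout has passed
    stale_view = agent.displayed_entries()  # alice is still listed
    return stale_view, agent.get_all()      # the sweep removes alice
```
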

Resolution

To trigger a get-all, perform one of the following steps:

  1. Close and reopen the User-ID Agent GUI. This will trigger a get-all to the agent service and the timed-out entries will be deleted.
  2. Run the following command on the Palo Alto Networks firewall to trigger a get-all:

     > debug user-id refresh user-id agent <name>

In this case, the agent service will delete the timed-out entries and then inform all connected firewalls. The User-ID Agent GUI will show that all entries for timed-out users are removed.

